The Cybersecurity and Infrastructure Security Agency (CISA) is warning industrial organizations to upgrade ABB Ability Symphony Plus S+ Engineering software promptly, following the disclosure of four vulnerabilities in the bundled PostgreSQL database, two of them high severity. The flaws, patched in the version 2.4 SP2 Rollup 1 (RU1) update, affect all S+ Engineering releases from 2.2 through 2.4 SP2. None of them is reachable without a database login, but an attacker who already holds a database role with CREATE privilege can use the two high-severity issues to execute arbitrary code as the PostgreSQL superuser, and from there run commands on the engineering workstation itself, a machine that is often integrated into critical infrastructure networks.
ABB Symphony Plus (S+) is a distributed control system (DCS) widely deployed in power generation, water treatment, and other process industries. Its Engineering tool is used to configure, commission, and maintain the entire control system. The software includes a PostgreSQL instance to store project and configuration data, and because this database frequently listens on network interfaces accessible from plant control rooms, the vulnerabilities represent a lateral‑movement risk for adversaries who have already gained a foothold in the IT environment.
Four PostgreSQL Flaws, Two of Them High Severity
According to the CISA advisory, all four vulnerabilities come from the bundled PostgreSQL rather than from ABB's own code. Two are rated high on the CVSS v3 scale and two are low to medium, and every one of them requires an authenticated database role, so the attacker must already hold credentials or an open session on the workstation. Using the upstream PostgreSQL descriptions and scores, the CVEs are:
- CVE-2023-2454 (CVSS 7.2) – The `schema_element` clauses of `CREATE SCHEMA` (a `CREATE TABLE`, `CREATE VIEW`, `CREATE INDEX`, `CREATE SEQUENCE`, `CREATE TRIGGER`, or `GRANT` nested inside the schema definition) defeat the protective `search_path` changes that PostgreSQL and `pg_dump` rely on when running code on behalf of other users. A role holding CREATE privilege on a schema can use this to execute arbitrary code as the bootstrap superuser; a PostgreSQL superuser can in turn run operating-system commands under the database service account, for example through `COPY ... TO PROGRAM`.
- CVE-2023-2455 (CVSS 4.3) – Row security policies are evaluated against the wrong user ID after a query is inlined, so in some cases a policy written for another role is applied and rows that row-level security should have hidden or protected become readable or writable.
- CVE-2023-39417 (CVSS 7.5) – Extension scripts that use the `@extowner@`, `@extschema@`, or `@extschema:...@` substitutions inside a quoted string are open to SQL injection. A role with database-level CREATE privilege can run arbitrary code as the bootstrap superuser when such an extension is created or updated.
- CVE-2023-39418 (CVSS 3.1) – The `MERGE` command fails to enforce `UPDATE` and `SELECT` row security policies, so a role allowed to run `MERGE` can read or modify rows those policies were meant to protect.
CVE-2023-2454 and CVE-2023-2455 were fixed by the PostgreSQL Global Development Group in the May 2023 minor releases (15.3, 14.8, 13.11, 12.15); CVE-2023-39417 and CVE-2023-39418 followed in the August 2023 releases (15.4, 14.9, 13.12, 12.16). ABB subsequently integrated the fixed builds into its build chain. However, because S+ Engineering systems are often air‑gapped or strictly change‑controlled, many installations remained unpatched eight months after the last of the upstream fixes was released.
Impact on Industrial Control Systems
Exploitation of these vulnerabilities is considered complex but achievable for a determined threat actor. In a typical plant architecture, the S+ Engineering workstation is connected to both the corporate network and the control‑system network. An attacker who compromises a standard corporate laptop through phishing could pivot to the engineering PC and, with any database role that holds CREATE privilege, use CVE-2023-2454 or CVE-2023-39417 to become the PostgreSQL superuser, and from there run commands under the database service account and take control of the workstation.
Once the engineering workstation is compromised, the adversary can:
- Modify controller logic without detection, causing physical damage to turbines, pumps, or generators.
- Deploy ransomware that encrypts engineering databases, halting maintenance and configuration changes.
- Harvest credentials stored in the PostgreSQL database to move deeper into the OT network.
- Install a persistent backdoor for long‑term espionage or future disruption.
ABB has classified the overall risk as “high” and is urging all customers to update immediately, regardless of whether the engineering station has direct internet access.
Affected and Fixed Versions
The CISA advisory and ABB’s own security notification specify the following version ranges:
| Component | Affected Versions | Remediation |
|---|---|---|
| ABB Ability Symphony Plus S+ Engineering | 2.2, 2.3, 2.4, 2.4 SP1, 2.4 SP2 | Upgrade to 2.4 SP2 RU1 |
| Bundled PostgreSQL | 12.x to 15.x (varies by S+ release) | Included in RU1 update |
Customers still running version 2.1 or earlier are not directly affected because those versions used a different database backend, but ABB strongly recommends upgrading to a supported release for ongoing security patches.
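As an added example, not ABB or CISA tooling, the following Python checks the version reported by a bundled PostgreSQL instance against the upstream minor releases that carry the four fixes, which is a quick way to triage an inventory of engineering workstations before the RU1 rollout. It assumes the S+ bundle ships stock upstream PostgreSQL binaries, so that the minor version from `SHOW server_version` or `SELECT version()` reflects which fixes are present; where ABB backports fixes into a custom build, the RU1 release notes are authoritative instead.

```python
"""Check a bundled PostgreSQL build against the upstream fixed releases.

Added example, not ABB or CISA tooling. Assumption: the S+ bundle ships stock
upstream PostgreSQL binaries, so the minor version reported by
`SHOW server_version` or `SELECT version()` tells you which fixes are present.
"""
from __future__ import annotations

import re

# Upstream minor releases that first carried each pair of fixes.
# May 2023 releases fixed CVE-2023-2454 and CVE-2023-2455.
MAY_2023 = {12: 15, 13: 11, 14: 8, 15: 3}
# August 2023 releases fixed CVE-2023-39417 and CVE-2023-39418.
AUG_2023 = {12: 16, 13: 12, 14: 9, 15: 4}
# PostgreSQL 16.0 (September 2023) and later already include all four.
FIRST_UNAFFECTED_MAJOR = 16

VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int]:
    """Extract (major, minor) from strings such as
    'PostgreSQL 15.2, compiled by Visual C++ build 1914, 64-bit' or '15.2'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def missing_fixes(text: str) -> list[str]:
    """Return the CVEs whose upstream fix is absent from the given build.

    Raises ValueError for major lines outside 12-15, the range the advisory's
    table lists; anything 16 or newer is reported as fully fixed."""
    major, minor = parse_version(text)
    if major >= FIRST_UNAFFECTED_MAJOR:
        return []
    if major not in MAY_2023:
        raise ValueError(
            f"PostgreSQL {major}.x is outside the 12.x-15.x range in the advisory")
    missing: list[str] = []
    if minor < MAY_2023[major]:
        missing += ["CVE-2023-2454", "CVE-2023-2455"]
    if minor < AUG_2023[major]:
        missing += ["CVE-2023-39417", "CVE-2023-39418"]
    return missing


def is_patched(text: str) -> bool:
    """True when the build carries all four upstream fixes."""
    return not missing_fixes(text)


if __name__ == "__main__":
    # Constructed sample outputs; in practice feed in the result of
    # `psql -Atc "SHOW server_version"` from each engineering workstation.
    for sample in ("PostgreSQL 15.2, compiled by Visual C++ build 1914, 64-bit",
                   "13.11", "14.9", "PostgreSQL 16.1"):
        print(f"{sample!r}: missing {missing_fixes(sample) or 'nothing'}")
```

A build on 13.11 is the interesting case: it carries the May 2023 fixes but not the August ones, so an inventory that only asks "is it newer than spring 2023" will pass it incorrectly.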
Mitigation and Workarounds
ABB provides the 2.4 SP2 RU1 cumulative update through its Automation Sentinel customer portal. The update delivers all four PostgreSQL security fixes and can be installed without uninstalling the previous version. The installation wizard performs an in‑place upgrade of the database cluster, preserving existing projects and configuration data.
For organizations that cannot immediately schedule the upgrade, CISA recommends the following compensating controls:
- Restrict network access to the PostgreSQL port (default 5432) using host‑based firewalls or IPsec rules, and mirror the same allow‑list inside PostgreSQL by limiting `listen_addresses` and the `pg_hba.conf` entries to those hosts. Only allow connections from localhost and the S+ Engineering application server.
- Ensure the PostgreSQL service runs under a dedicated local account with minimal privileges; never use the SYSTEM or Administrator account.
- Enable client certificate authentication for all database connections, as the S+ Engineering tools support mutual TLS since version 2.4.
- Monitor database logs for suspicious DDL, especially `CREATE SCHEMA` statements that embed object definitions (the vector for CVE-2023-2454), `CREATE EXTENSION` or `ALTER EXTENSION ... UPDATE` issued by non‑administrative roles (CVE-2023-39417), and any `COPY ... TO PROGRAM` or `COPY ... FROM PROGRAM`, which is how a superuser turns database access into operating‑system commands. `log_statement = 'ddl'` captures the first two; `COPY` is only logged with `log_statement = 'all'`. Include the role and client address in `log_line_prefix` (for example `%u` and `%h`) so each entry can be attributed.
These measures reduce the attack surface but are not a substitute for the patch. ABB warns that some sub‑components of the Engineering tool require network‑accessible database connections, so completely disabling remote access may break functionality such as multi‑user collaboration.
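The log‑monitoring control above, written out as an added example rather than ABB or CISA guidance: a small Python scanner over PostgreSQL server log lines that flags the DDL patterns associated with CVE-2023-2454 and CVE-2023-39417, `COPY ... PROGRAM`, and connections from hosts outside the allow‑list. It assumes the server runs with `log_line_prefix = '%m [%p] %u@%d %h '` and `log_statement = 'all'`; the allow‑list, role names, and log lines are all constructed for the example.

```python
"""Scan PostgreSQL server logs for the activity the mitigations above call out.

Added example, not ABB or CISA tooling. Assumes
    log_line_prefix = '%m [%p] %u@%d %h '
    log_statement   = 'all'
so every statement is logged with its role, database and client address.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical allow-list: the workstation itself plus one S+ application server.
ALLOWED_HOSTS = {"[local]", "127.0.0.1", "::1", "10.10.20.5"}
# Hypothetical roles expected to run schema and extension DDL.
ADMIN_ROLES = {"postgres", "splus_admin"}

# One log line in the assumed prefix format:
# 2024-04-16 09:12:03.001 UTC [4120] splus_eng@splus_project 127.0.0.1 LOG:  statement: ...
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
STATEMENT = re.compile(r"^statement:\s+(?P<sql>.*)$")

# CREATE SCHEMA with a nested schema_element (the documented element kinds).
SCHEMA_ELEMENT = re.compile(
    r"\bCREATE\s+SCHEMA\b.*\b(CREATE\s+(TABLE|VIEW|INDEX|SEQUENCE|TRIGGER)|GRANT)\b",
    re.IGNORECASE | re.DOTALL,
)
# Extension creation or update, the path an injected extension script runs on.
EXTENSION_DDL = re.compile(r"\b(CREATE|ALTER)\s+EXTENSION\b", re.IGNORECASE)
# Superuser-only OS command execution through COPY.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    host: str
    detail: str


def classify(user: str, host: str, msg: str) -> list[Finding]:
    """Apply the detection rules to one parsed log entry."""
    findings: list[Finding] = []
    if host not in ALLOWED_HOSTS:
        findings.append(Finding("unexpected_host", user, host, msg))
    m = STATEMENT.match(msg)
    if not m:
        return findings  # connection/auth messages carry no SQL to inspect
    sql = m.group("sql")
    if user not in ADMIN_ROLES:
        if SCHEMA_ELEMENT.search(sql):
            findings.append(Finding("schema_element_ddl", user, host, sql))
        if EXTENSION_DDL.search(sql):
            findings.append(Finding("extension_ddl", user, host, sql))
    if COPY_PROGRAM.search(sql):
        findings.append(Finding("copy_program", user, host, sql))
    return findings


def scan(log_text: str) -> list[Finding]:
    """Parse a log file in the assumed prefix format and return all findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # continuation lines and other prefixes are skipped
        findings.extend(classify(m["user"], m["host"], m["msg"]))
    return findings


# Constructed sample log: one benign DDL, one nested CREATE SCHEMA, an ALTER
# EXTENSION from an unexpected host, an admin CREATE EXTENSION, and a COPY PROGRAM.
SAMPLE_LOG = """\
2024-04-16 09:12:03.001 UTC [4120] splus_eng@splus_project 127.0.0.1 LOG:  statement: CREATE TABLE tag_config (id serial PRIMARY KEY, name text)
2024-04-16 09:12:05.210 UTC [4120] splus_eng@splus_project 127.0.0.1 LOG:  statement: CREATE SCHEMA staging CREATE TABLE t1 (id int)
2024-04-16 09:13:40.100 UTC [4122] splus_eng@splus_project 192.168.50.23 LOG:  connection authorized: user=splus_eng database=splus_project
2024-04-16 09:13:44.870 UTC [4122] splus_eng@splus_project 192.168.50.23 LOG:  statement: ALTER EXTENSION pg_stat_statements UPDATE
2024-04-16 09:14:10.002 UTC [4123] postgres@splus_project [local] LOG:  statement: CREATE EXTENSION IF NOT EXISTS pgcrypto
2024-04-16 09:15:01.555 UTC [4124] splus_eng@splus_project 10.10.20.5 LOG:  statement: COPY tag_config TO PROGRAM 'cmd.exe /c whoami'
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:20} {f.user}@{f.host}: {f.detail}")
```

The admin role's `CREATE EXTENSION` from `[local]` is deliberately not flagged: the point is to alert on DDL that ordinary S+ roles have no business issuing, not on routine administration, and tuning `ADMIN_ROLES` and `ALLOWED_HOSTS` to the site's actual accounts and hosts is what keeps the rule set from becoming noise.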
Industry Response and Patching Urgency
ICS security experts emphasize that engineering workstations are high‑value targets for advanced persistent threat (APT) groups. The Colonial Pipeline incident, though unrelated to Symphony Plus, showed that a ransomware compromise confined to the IT side can still force an operator to halt an entire pipeline as a precaution; an engineering workstation that bridges the corporate and control networks shortens that path considerably. The PostgreSQL vulnerabilities in S+ add to a growing list of IT‑sourced risks in OT environments, including the recent KEV catalog additions for Rockwell Automation and Siemens products.
“Engineering tools are the crown jewels of a control system,” says Dragos principal analyst Mark Urban. “They hold the keys to every controller and every process. A patch like this isn’t a nice‑to‑have; it’s an operational imperative.”
Despite the urgency, ABB and CISA acknowledge that many asset owners face lengthy change‑management windows. To speed up deployment, ABB has released a standalone PostgreSQL patch script that can be applied without a full S+ version upgrade, though it requires manual intervention and is only supported for versions 2.4 and 2.4 SP1.
How to Obtain the Update
Authorized customers can download the RU1 update by following these steps:
- Log in to the ABB Automation Sentinel portal with your company credentials.
- Navigate to Downloads > Symphony Plus > S+ Engineering.
- Select 2.4 SP2 RU1 from the version list and download the installer (`SymphonyPlusEngineering_2.4.2.1001.iso`).
- Verify the SHA‑256 hash against the value posted on the ABB security notification page before executing the installer.
If you lack portal access, contact your regional ABB service representative or authorized system integrator. The update is also distributed through ABB’s normal software update channels for sites with active support contracts.
Looking Ahead
The PostgreSQL CVEs are a reminder that even purpose‑built industrial software inherits risk from its open‑source components. As DCS vendors continue to adopt web servers, databases, and container runtimes from the IT world, the patch‑management strategies of OT environments must evolve. CISA’s advisory, originally published on April 16, 2024, underscores the agency’s commitment to highlighting IT‑OT convergence risks and providing actionable guidance to critical infrastructure operators.
For ABB customers, the immediate task is clear: identify all S+ Engineering installations, validate their network exposure, and deploy the RU1 update as soon as the next maintenance window allows. The alternative — leaving engineering stations running unpatched PostgreSQL databases — is an unacceptable gamble in an era when industrial control systems are squarely in the crosshairs of nation‑state adversaries.